Subject: User authenticated if not in MySQL database
Hello,
I just installed Apache2::AuthCookieDBI to wrap MySQL authentication
around some applications on my server. It may be a configuration problem
on my part but I discovered the following authentication problem with my
setup.
I have authrealmDBI_CryptType set to "crypt". This works fine when I
pass a valid username to the login script but when I pass a username
that doesn't exist in the MySQL database I get authenticated when I
shouldn't.
When the user name isn't in the database the following lines get executed:
        $r->log_error(
            "Apache2::AuthCookieDBI: couldn't select password from
$c->{ DBI_DSN }, $c->{ DBI_UsersTable }, $c->{ DBI_UserField } for user
$user for auth realm $auth_name",
            $r->uri
        );
        return;    # returns undef: no password hash for this user
    }
}
_get_crypted_password returns undef. When undef is passed to
"_check_password", $crypted_password isn't populated, so the following
statement returns true and authenticates the user:
    'crypt' => sub {
        # salt is the first two characters of the stored crypt(3) hash;
        # with $crypted_password undef this yields an empty salt
        my $salt = substr $crypted_password, 0, 2;
        return crypt( $password, $salt ) eq $crypted_password;
    },
I just added "return unless $crypted_password" to the start of
"_check_password" to fix the issue on my server.
Thanks,
Keith.
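The failure described in this report, as an added example that is not code from Apache2::AuthCookieDBI or from the reporter: a stand-alone Perl script contrasting the original 'crypt' check with the guarded version, using one constructed user record (alice/secret) and an unknown user whose lookup yields undef. The exact value crypt() returns for an empty salt depends on the platform's crypt(3), so the "old" column reproduces the accept-on-undef result only on systems that behave like the reporter's.

```perl
#!/usr/bin/perl
# Added example, not the module's own code: shows why an undef
# $crypted_password must be rejected before the crypt() comparison.
use strict;
use warnings;

# Constructed test data: one user whose password "secret" is stored as a
# traditional crypt(3) hash (salt = first two characters of the hash).
my %users = ( alice => crypt( 'secret', 'ab' ) );

# Check as it was before the fix. With an undef hash the salt is empty and
# both sides of the "eq" stringify to the same (empty) value on the
# reporter's system, so an unknown user is accepted. The "Use of
# uninitialized value" warnings this emits are part of the symptom.
sub check_password_old {
    my ( $password, $crypted_password ) = @_;
    my $salt = substr $crypted_password, 0, 2;
    return crypt( $password, $salt ) eq $crypted_password;
}

# Check with the fix from the report: fail closed when there is no hash
# (unknown user, or an empty password column), then compare as before.
sub check_password_fixed {
    my ( $password, $crypted_password ) = @_;
    return unless $crypted_password;    # unknown user: deny, never compare
    my $salt = substr $crypted_password, 0, 2;
    return crypt( $password, $salt ) eq $crypted_password;
}

# Valid user with right and wrong password, then a user not in the table.
for my $case ( [ 'alice', 'secret' ], [ 'alice', 'wrong' ],
               [ 'mallory', 'anything' ] ) {
    my ( $user, $password ) = @$case;
    my $hash = $users{$user};    # undef when the user is not in the table
    printf "%-8s old=%-5s fixed=%s\n", $user,
        ( check_password_old( $password, $hash )   ? 'allow' : 'deny' ),
        ( check_password_fixed( $password, $hash ) ? 'allow' : 'deny' );
}
```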